Cryptosystem Based on a Jacobian of a Curve

ABSTRACT

A cryptosystem has a secret based on an order of a group of points on a Jacobian of a curve. In certain embodiments, the cryptosystem is used to generate a product identifier corresponding to a particular product. The product identifier is generated by initially receiving a value associated with a copy (or copies) of a product. The received value is padded using a recognizable pattern, and the padded value is converted to a number represented by a particular number of bits. The number is then converted to an element of the Jacobian of the curve, and the element is then raised to a particular power. The result of raising the element to the particular power is then compressed and output as the product identifier. Subsequently, the encryption process can be reversed and the decrypted value used to indicate validity and/or authenticity of the product identifier.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.09/886,147, filed Jun. 20, 2001, which is hereby incorporated byreference herein. U.S. patent application Ser. No. 09/886,147 claimspriority to and the benefit of U.S. Provisional Application No.60/213,573, filed Jun. 22, 2000, entitled “Short Product ID”, to KristinE. Lauter, Peter L. Montgomery, and Ramarathnam Venkatesan.

TECHNICAL FIELD

This invention relates to cryptography, and more particularly tocryptosystems based on a Jacobian of a curve.

BACKGROUND OF THE INVENTION

As computers have become increasingly commonplace in homes andbusinesses throughout the world, and such computers have becomeincreasingly interconnected via networks (such as the Internet),security and authentication concerns have become increasingly important.One manner in which these concerns have been addressed is the use of acryptographic technique involving a key-based cipher. Using a key-basedcipher, sequences of intelligible data (typically referred to asplaintext) that collectively form a message are mathematicallytransformed, through an enciphering process, into seeminglyunintelligible data (typically referred to as ciphertext). Theenciphering can be reversed, allowing recipients of the ciphertext withthe appropriate key to transform the ciphertext back to plaintext, whilemaking it very difficult, if not nearly impossible, for those withoutthe appropriate key from recovering the plaintext.

Public-key cryptographic techniques are one type of key-based cipher. Inpublic-key cryptography, each communicating party has a public/privatekey pair. The public key of each pair is made publicly available (or atleast available to others who are intended to send encryptedcommunications), but the private key is kept secret. In order tocommunicate a plaintext message using encryption to a receiving party,an originating party encrypts the plaintext message into a ciphertextmessage using the public key of the receiving party and communicates theciphertext message to the receiving party. Upon receipt of theciphertext message, the receiving party decrypts the message using itssecret private key, and thereby recovers the original plaintext message.

The RSA (Rivest-Shamir-Adleman) method is one well-known example ofpublic/private key cryptology. To implement RSA, one generates two largeprime numbers p and q and multiplies them together to get a largecomposite number N, which is made public. If the primes are properlychosen and large enough, it will be practically impossible (i.e.,computationally infeasible) for someone who does not know p and q todetermine them from just knowing N. However, in order to be secure, thesize of N typically needs to be more than 1,000 bits. In somesituations, though, such a large size makes the numbers too long to bepractically useful.

One such situation is found in authentication, which can be requiredanywhere a party or a machine must prove that it is authorized to accessor use a product or service. An example of such a situation is in aproduct ID system for a software program(s), where a user must enter aproduct ID sequence stamped on the outside of the properly licensedsoftware package as proof that the software has been properly paid for.If the product ID sequence is too long, then it will be cumbersome anduser unfriendly.

Additionally, not only do software manufacturers lose revenue fromunauthorized copies of their products, but software manufacturers alsofrequently provide customer support, of one form or another, for theirproducts. In an effort to limit such support to their licensees,customer support staffs often require a user to first provide theproduct ID associated with his or her copy of the product for whichsupport is sought as a condition for receiving support. Many currentmethods of generating product IDs, however, have been easily discernedby unauthorized users, allowing product IDs to be generated byunauthorized users.

Given the apparent ease with which unauthorized users can obtain validindicia, software manufacturers are experiencing considerable difficultyin discriminating between licensees and such unauthorized users in orderto provide support to the former while denying it to the latter. As aresult, manufacturers often unwittingly provide support to unauthorizedusers, thus incurring additional and unnecessary support costs. If thenumber of unauthorized users of a given software product is sufficientlylarge, then these excess costs associated with that product can be quitesignificant. Therefore, a need exists in the art for a technique thatpermits a software manufacturer to appreciably reduce the incidence ofunauthorized copying of its software product, but which is not based onuser entry of impractically long data sequences.

The invention addresses these problems and provides a cryptosystem basedon a Jacobian of a curve.

SUMMARY OF THE INVENTION

A cryptosystem based on a Jacobian of a curve is described herein.

In accordance with one aspect, encryption and decryption are performedbased on a secret. This secret is the order of a group of points on aJacobian of a curve. A variety of different curves can be used, and inone implementation the curve is a hyperelliptic curve over a finitefield.

According to another aspect, the cryptosystem is used to generate aproduct identifier corresponding to a particular copy (or copies) of aproduct. The product identifier is generated by initially receiving avalue associated with one copy (or alternatively multiple copies) of aproduct. The received value is then padded using a recognizable pattern,and the padded value is converted to a number represented by aparticular number of bits. The number is then converted to an element ofthe Jacobian of a curve, which in turn is raised to a particular power.The result of raising the element to the particular power is thencompressed and output as the product identifier.

According to another aspect, the generated product identifier can bevalidated (e.g., during installation of the product) by reversing theencryption process and extracting the padded value. If a correctrecognizable pattern is included in the padded value, then the productidentifier is a valid product identifier. Otherwise, it is not.Furthermore, if the product identifier generation process was based onunique values for each copy of a product, then that unique value canalso be extracted from the padded value and compared (e.g., by theproduct manufacturer) to determine whether it corresponds to the actualproduct (e.g., the product for which installation is being attempted, orfor which service or support is being requested). If the productidentifier does correspond to the actual product, then the productidentifier is authenticated (otherwise, it is not authenticated).

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and notlimitation in the figures of the accompanying drawings. The same numbersare used throughout the figures to reference like components and/orfeatures.

FIG. 1 is a block diagram illustrating an exemplary cryptosystem inaccordance with certain embodiments of the invention.

FIG. 2 illustrates an exemplary system using a product identifier tovalidate software in accordance with certain embodiments of theinvention.

FIG. 3 illustrates an exemplary cryptographic system generator inaccordance with certain embodiments of the invention.

FIG. 4 is a flowchart illustrating an exemplary process for generating aproduct ID number in accordance with certain embodiments of theinvention.

FIG. 5 is a flowchart illustrating portions of the process of FIG. 4 inadditional detail.

FIG. 6 is a flowchart illustrating an exemplary process for decrypting aproduct ID number in accordance with certain embodiments of theinvention.

FIG. 7 illustrates a more general exemplary computer environment whichcan be used in various embodiments of the invention.

DETAILED DESCRIPTION

The discussions herein assume a basic understanding of cryptography bythe reader. For a basic introduction of cryptography, the reader isdirected to a book written by Bruce Schneier and entitled “AppliedCryptography: Protocols, Algorithms, and Source Code in C,” published byJohn Wiley & Sons with copyright 1994 (or second edition with copyright1996).

Described herein is a curve-based cryptosystem that is based on groupswhose size is known to the cryptosystem designer but unknown andbelieved difficult to determine for attackers of the cryptosystem. Thecurve-based encryption and decryption described herein refers toencryption and decryption that uses keys that are generated based onaspects or characteristics of a mathematical curve. The curve-basedcryptosystem is based on the Jacobian of the curve being used, and thesecret group size is the size of the group of points on the Jacobian ofthe curve. The curve-based cryptosystem can be used to encrypt any of awide variety of information, and is described herein primarily withrespect to generation of a “short” signature or product identifier,which is a code that allows validation and/or authentication of amachine, program, user, etc. The signature is a “short” signature inthat it uses a relatively small number of characters.

FIG. 1 is a block diagram illustrating an exemplary cryptosystem inaccordance with certain embodiments of the invention. The cryptosystem100 includes an encryptor 102 and a decryptor 104. A plaintext message106 is received at an input module 108 of encryptor 102, which is acurve-based encryptor that encrypts message 106 based on a public keygenerated based on a secret group size (known only by decryptor 104).This secret group size is the size of the group of points on theJacobian of the curve being used, and is discussed in more detail below.Plaintext message 106 is typically an unencrypted message, althoughencryptor 102 can encrypt any type of message. Thus, message 106 mayalternatively be encrypted or encoded by some other component (notshown) or a user.

An output module 110 of encryptor 102 outputs the encrypted version ofplaintext message 106, which is ciphertext 112. Ciphertext 112 can thenbe communicated to decryptor 104, which can be implemented, for example,on a computer system remote from a computer system on which encryptor102 is implemented. Given the encrypted nature of ciphertext 112, thecommunication link between encryptor 102 and 104 need not be secure (itis typically presumed that the communication link is not secure). Thecommunication link can be any of a wide variety of public and/or privatenetworks implemented using any of a wide variety of conventional publicand/or proprietary protocols, and including both wired and wirelessimplementations. Additionally, the communication link may include othernon-computer network components, such as hand-delivery of mediaincluding ciphertext or other components of a product distributionchain.

Decryptor 104 receives ciphertext 112 at input module 114 and, beingaware of the secret group size used to encrypt message 106 (as well asthe necessary exponent), is able to readily decrypt ciphertext 112 torecover the original plaintext message 106, which is output by outputmodule 116 as plaintext message 118. Decryptor 104 is a curve-baseddecryptor that decrypts the message based on the size of the group ofpoints on the Jacobian of the curve (the same value as was used byencryptor 102), and is discussed in more detail below. Encryption anddecryption are performed in cryptosystem 100 based on a secret, which isthe size of the group of points on the Jacobian of curve. This secret isknown to decryptor 104, and a public key generated based on the secretis known to encryptor 102. This knowledge allows encryptor 102 toencrypt a plaintext message that can be decrypted only by decryptor 104.Other components, including encryptor 102, which do not have knowledgeof the secret cannot decrypt the ciphertext (although decryption may betechnically possible, it is not computationally feasible). Similarly,decryptor 104 can also generate a message using the secret and based ona plaintext message, a process referred to as digitally signing theplaintext message. This signed message can then be communicated to othercomponents, such as encryptor 102, which can in turn verify the digitalsignature based on the public key.

FIG. 2 illustrates an exemplary system using a product identifier tovalidate software in accordance with certain embodiments of theinvention. FIG. 2 illustrates a software copy generator 120 including aproduct identifier (ID) generator 122. Software copy generator 120produces software media 124 (e.g., a CD-ROM, DVD (Digital VersatileDisk), etc.) that contains typically all the files needed tocollectively implement a complete copy of one or more applicationprograms, (e.g., a word processing program, a spreadsheet program, anoperating system, a suite of programs, and so forth). These files arereceived from source files 126, which may be a local source (e.g., ahard drive internal to generator 120), a remote source (e.g., coupled togenerator 120 via a network), or a combination thereof. Although only asingle generator 120 is illustrated in FIG. 2, typically multiple suchgenerators operate individually and/or cooperatively to increase therate at which software media 124 can be generated.

Product ID generator 122 generates a product ID 128 that can includenumbers, letters, and/or other symbols. Generator 122 generates productID 128 using the curve-based encryption process described herein. Theproduct ID 128 is typically printed on a label and affixed to either acarrier containing software media 124 or a box into which software media124 is placed. Alternatively, the product ID 128 may be made availableelectronically, such as a certificate provided to a user when receivinga softcopy of the application program via an on-line source (e.g.,downloading of the software via the Internet). The product ID can servemultiple functions. First, the product ID can be cryptographicallyvalidated in order to verify that the product ID is a valid product ID(and thus allowing, for example, the application program to beinstalled). Additionally, the product ID can optionally serve toauthenticate the particular software media 124 to which it isassociated.

The generated software media 124 and associated product ID 128 are thenprovided to a distribution chain 130. Distribution chain 130 representsany of a variety of conventional distribution systems and methods,including possibly one or more “middlemen” (e.g., wholesalers,suppliers, distributors, retail stores (either on-line or brick andmortar), etc.). Regardless of the manner in which media 124 and theassociated product ID 128 are distributed, eventually media 124 andproduct ID 128 are purchased (e.g., licensed), by the user of a clientcomputer 132.

Client computer 132 includes a media reader 134 capable of readingsoftware media 124 and installing the application program onto clientcomputer 132 (e.g., installing the application program on to a hard diskdrive (not shown) of client computer 132). Part of this installationprocess involves entry of the product ID 128. This entry may be a manualentry (e.g., the user typing in the product ID via a keyboard), oralternatively an automatic entry (e.g., computer 132 automaticallyaccessing a particular field of a license associated with theapplication program and extracting the product ID therefrom). Clientcomputer 132 also includes a product ID validator 136 which validates,during installation of the application program, the product ID 128. Thisvalidation is performed using the curve-based decryption describedherein. If validator 136 determines that the product ID is valid, thenan appropriate course of action is taken (e.g., an installation programon software media 124 allows the application to be installed on computer132). However, if validator 136 determines that the product ID isinvalid, then a different course of action is taken (e.g., theinstallation program terminates the installation process preventing theapplication program from being installed).

Product ID validator 136 also optionally authenticates the applicationprogram based on the product ID 128. This authentication verifies thatthe product ID 128 entered at computer 132 corresponds to the particularcopy of the application be accessed. The authentication can be performedat different times, such as during installation, or when requestingproduct support or an upgrade. Alternatively, this authentication may beperformed at a remote location (e.g., at a call center when the user ofclient computer 132 calls for technical support, the user may berequired to provide the product ID 128 before receiving assistance).

If the application program manufacturer desires to utilize theauthentication capabilities of the product ID, then the product IDgenerated by generator 122 for each copy of an application program isunique. This uniqueness is created by assigning a different initialnumber or value to each copy of the application program (this initialvalue is then used as a basis for generating the product ID, asdiscussed in more detail below). The unique value associated with thecopy of the application program is then optionally maintained by themanufacturer as an authentication record 138 (e.g., a database or list)along with an indication of the particular copy of the applicationprogram. This indication can be, for example, a serial number embeddedin the application program or on software media 124, and may be hiddenin any of a wide variety of conventional manners. Alternatively, theindividual number itself may be a serial number that is associated withthe particular copy, thereby allowing the manufacturer to verify theauthenticity of an application program by extracting the initial valuefrom the product ID and verifying that it is the same as the serialnumber embedded in the application program or software media 124.

Appropriate action can be taken based on whether the product ID isauthenticated. These actions can vary, depending on the manufacturer'sdesires and/or action being taken at computer 132 that caused theauthentication check to occur. For example, if a user is attempting toinstall an application program then installation of the program may beallowed only if the authentication succeeds. By way of another example,the manufacturer's support technicians may provide assistance to a userof computer 132 only if the authentication succeeds, or an upgradeversion of the application program may be installed only ifauthentication of the previous version of the application programsucceeds.

FIG. 3 illustrates an exemplary cryptographic system generator inaccordance with certain embodiments of the invention. The generatorsystem 150 generates a cryptosystem based on a secret that is the sizeof a group of points on the Jacobian of a curve. The cryptosystemgenerated by system 150 can be used, for example, to implement thesystem 100 in FIG. 1 or the product ID based system of FIG. 2. Thesystem 150 includes a curve selection module 152 and a cryptographicsystem generation module 154. Curve selection module 152 receives a setof one or more parameters 156 as inputs and selects a curve to be usedbased on the parameters 156. In one implementation, parameters 156include an indication of the genus of the curve and a size (e.g., inbits) that the product identifier should be. Curve selection module 152can then select a curve based on these parameters in any of a variety ofwell-known manners. In one implementation the selected curve is ahyperelliptic curve, although in alternate implementations other curvesmay be used. Curve selection module 152 then provides the selected curveto cryptographic system generation module 154. Cryptographic systemgeneration module 154 generates the cryptographic system, determiningthe group and the size of the group (which is the secret that is beingmaintained).

More specifically, curve selection module 152 selects a hyperellipticcurve given by the equation y²=f(x), referred to herein as the equationC, over a finite field F_p, where p is a prime number and where f is apolynomial of degree 2·g+1 and g is the genus of the hyperellipticcurve. The genus of the curve may be any of a variety of values, and inone implementation the genus is at least 2. Given this selected curve,cryptographic system generation module 154 determines the Jacobian J(C)over the finite field F_p for the curve. The group of points on theJacobian J(C) is denoted by J(C)(F_p), and the order of J(C)(F_p), alsoreferred to as the size of J(C)(F_p) or the number of elements inJ(C)(F_p), is secret. The order of J(C)(F_p) can be selected by thecryptosystem designer and made available to cryptosystem generationmodule 154 (e.g., as one of parameters 156, or alternativelyseparately).

An element of the group J(C) is called a divisor on the curve, and it isgiven as a pair of polynomials (a(x),b(x)) where degree(a)≦g, wheredegree(b)<degree(a), and where a(x) divides (b(x)²−f(x)). Each elementin the group J(C) has a unique (a(x),b(x)) if a(x) is required to bemonic (which it is in one implementation). Alternatively, b(x) could bereplaced with b(x)+(some multiple of a(x)), which also results in eachelement in the group J(C) having a unique (a(x),b(x)) ifdegree(b(x))≦degree(a(x)). Addition of elements of the Jacobian isperformed via operations on the polynomials a(x) and b(x). For ease ofunderstanding, the Jacobian of a curve can be thought of as a multisetwith at most g points on the curve, where g is the genus of the curve.These points on the curve can lie in an algebraic extension of thefinite field, and the multiset does not include both a point and itsnegative.

The generation of the Jacobian of a curve, as well as performingoperations in the Jacobian, are well-known to those skilled in the art.However, for additional information on Jacobians, the reader is directedto David Mumford, Tata Lectures on Theta, Volume 2 (Birkhauser 1984),and American Mathematical Society journal, Mathematics of Computation,Volume 48, number 177, January 1987, pp 95-101.

Knowing how to perform group operations on the Jacobian, an element P ofthe Jacobian can be raised to a publicly available exponent e (that is,P^(e)), with this result P^(e) also being on the Jacobian. The valueP^(e) can then be transmitted over a non-secure communication link (orstored in a non-secure manner), and the privacy of the value Pmaintained because an attacker cannot readily recover P without knowingthe secret group size (the order of J(C)(F_p)). If the group size isknown, however, then a value d can be readily determined so that thevalue P^(e) can be raised to the value d (that is, (P^(e))^(d)), whichrecovers the value of P. It is very difficult (computationallyinfeasible) to recover the value of P based on the value P^(e) withoutknowing the secret group size.

The value of e can be any value, but larger prime values typicallyprovide greater security. In one implementation, the value of e is65,537. The value of d can be readily determined by solving for d suchthat e·d=1 mod |G|, where |G| refers to the secret group size (that is,to the order of J(C)(F_p)).

A point P that is on the Jacobian can be digitally signed in ananalogous manner. The point P is raised to the secret exponent d (thatis, P^(d)). The value P^(d) can then be communicated or otherwise madeavailable to another device that knows the publicly available exponente. The value of P can then be recovered by raising the value P^(d) tothe value e (that is, (P^(d))^(e)) However, without knowing the secretgroup size, a false value pd that resulted in a valid value of P couldnot be created by an attacker because the attacker could not generatethe value d.

FIG. 4 is a flowchart illustrating an exemplary process for generating aproduct ID number in accordance with certain embodiments of theinvention. The process of FIG. 4 is implemented by product ID generator122 of FIG. 2, and may be performed in software. The process of FIG. 4replaces RSA with a signature scheme that produces a product ID shortenough for practical use while still providing adequate security againstattack. This scheme produces a signature based on a secret, with thesecret being the order of a group of points on the Jacobian of a curve.

Initially, a number M is received (act 202). Each number M is associatedwith a particular copy of a product for which the product IDs are beinggenerated. The number of bits in M can vary, but should be large enoughso that a unique number M can be assigned to each copy of the product.In one implementation, the number M is approximately 64 bits. Byassigning a unique number M to each copy of the product, the individualproducts can subsequently be identified (based on the product ID number,as discussed below). Alternatively, if identification of the individualcopies is not needed or desired, then M need not be unique for each copyof the product.

The value of M is then padded with a recognizable pattern (act 204) andconverted to an n-bit number (act 206). Any of a variety of recognizablepatterns can be used, and in one implementation the recognizable patternis generated by repeating at least a portion of the number M. Thisrecognizable pattern can be subsequently used during decryption toverify the validity of a product ID, as discussed below. In oneimplementation, the value of n is 114, so the padded value is convertedto a 114-bit number (in alternate implementations, the value of n can bedifferent, such as 112 (or alternatively much larger or smaller than114)). The value of 114 provides for approximately 24²⁵ differentsequences of numbers, allowing a product ID to be 25 characters (thusrequiring a user to enter only 25 key strokes), each of which can be oneof 24 different characters (including letters, numbers, and symbols).Alternatively, only the digits 0 through 9 may be used, which reducesthe number of different sequences that can be entered using 24characters, but also reduces the number of different characters that auser may need to enter.

FIG. 5 is a flowchart illustrating an exemplary implementation of acts204 and 206 in additional detail. First, a value of N is set as n/2 (act250). So, assuming a value of n=114, the value of N is 57. A value y(also referred to as the padded version of M) is then calculated basedon the received value M (act 252). The value y is calculated byconcatenating x (where x=M) twice and dropping the bits in excess of n.In one implementation, the most significant excess bits are dropped(alternatively, the least significant excess bits may be dropped). Thus,assuming a value of n=114 and M is 64 bits, the value x would beconcatenated with itself to create a 128-bit number, and the fourteenmost significant bits dropped.

Then four functions F1, F2, F3, and F4 are defined (act 254), with thefunctions F1, F2, F3, and F4 mapping L-bit inputs to N-bit outputs in arandom (or seemingly random) manner. In one implementation, these fourfunctions F1, F2, F3, and F4 is each assumed to have N-bit outputs whereN is less than L:

F1(x)=LSB N [H (K,1,x)]

F2(x)=LSB N [H(K,2,x)]

F3(x)=LSB N [H(K,3,x)]

F4(x)=LSB N [H(K,4,x)]

In F1, F2, F3, and F4, the value H is a secure hash function (e.g., SHA,MD5, etc.) having L bits of output, the value x is the input value forthe function, the other inputs to H (K,1; K,2; K,3; and K,4) eachrepresent a random (or pseudo-random) cryptographic key (in oneimplementation at least 100 bits long), and LSB N(W) means output the Nleast significant bits of W. The cryptographic keys input to H (K,1;K,2; K,3; and K,4) are each different (although alternatively one ormore may be the same) and can be of differing lengths). The use of thesefunctions F1, F2, F3, and F4 are discussed in more detail below.

An input string is then defined as two strings A,B (act 256) each of Nbits, and each of A,B having half the bits of the value y (e.g., A beingthe n/2 most significant bits and B being the n/2 least significantbits). Next, a function is used that accepts two N-bit input strings andoutputs a 2N-bit string (act 258). The outputs will be presumablyrandom-looking. The function is defined using the following pseudocodethat employs concurrent assignments (all assignments on one line aredone concurrently):

(L, R)=(A, B);

(L, R)=(R, F1(R)+L mod 2ˆN);

(L, R)=(R, F2(R)+L mod 2ˆN);

(L, R)=(R, F3(R)+L mod 2ˆN);

(L, R)=(R, F4(R)+L mod 2ˆN);

Output L, R.

The final output of L,R is the mapping that converts the padded numberinto n bits, providing the n-bit number in act 206.

Returning to FIG. 4, given the n-bit number from act 206, the n-bitnumber is converted to an element P of the Jacobian of the curve (act208). The value of n (e.g., 114) is approximately the length of g fieldelements minus a few bits used for point compression depending on g. Ifg=2, then only one bit is needed for compression. Thus, p isapproximately n/g bits long, and the order of the group is approximatelyp^(g) elements.

In act 208, the n-bit number is converted to the coefficients of a monicirreducible polynomial a(x) of degree g, where the curve is given by theequation y²=f(x), where f(x) has degree 2·g+1, and where a(x) is monic.There are approximately p^(g)/g possible a(x). The expression b(x)²=f(x)mod a(x) is then solved for b(x). In other words, a square root is foundof f(x) modulo a(x). The square root may not always exist, so if it doesnot, a new n-bit number is generated by generating new values of A,B inact 256 of FIG. 5. In one implementation, the value of A remainsunchanged but the value of B is modified to change one or more of thelast bits of B (e.g., by incrementing the value of B by one (oralternatively by some other amount)). The process then continues (at act258) with the new values of A,B, and act 208 is repeated with the newn-bit number. When g is odd, the existence of a square root can beguaranteed by using two dual curves y²=f(x) and y²=cf(x), where c is aquadratic non-residue modulo p. An alternative method is to convert then-bit number to the polynomial b(x) and then identify an a(x) of theappropriate degree dividing (b(x)²−f(x)). Regardless of the method used,the element P is then (a(x), b(x)).

The element P is then raised to the power of a secret exponent value d(act 210). Assuming a public exponent e is fixed, and J is the order ofthe group of points on the Jacobian of the curve over the field F_p,then the value d is computed as the inverse of e modulo J. The element Praised to the power of d refers to the element P being added to itself dtimes in the group J(C). The value Q is set as the value P raised to thepower of d (act 212), with Q=P^(d)=(q1(x),q2(x)).

The value Q is then output in compressed form as the product ID number(214). The value Q includes the coefficients of q1(x) with a few extrabits to specify q2(x). Q is output in compressed form by taking the gcoefficients of q1(x) plus the extra bits needed to specify q2(x). q1 isassumed to be monic. Details in an exemplary case where g=2 are asfollows: q1(x) is either quadratic split, quadratic irreducible, linear,or constant (equals the identity in the group), depending on its degreeand its factorization over the base field. An exemplary implementationof g=2 compression uses two values r1, r2 with 0<=r1<=p and0<=r2<=(3p−1)/2, plus a sign bit s, which is (p+1)(3p+1) possiblevalues. Fix a quadratic non-residue c in the field GF(p). The cases are:0<=r1,r2<p  (1)

The tuple (r1, r2, s) is a compression in which the quadraticq1(x)=(x+r1)(x+r2) has two linear factors. When r1≠r2, the orderingr1<r2 or r2<r1 and the sign bit s together distinguish the (up to) fourpossible q2(x). When r1=r2, the sign bit s distinguishes the (up to) twopossible q2(x).0<=r1<p and p<r2<=(3p−1)/2.  (2)

The tuple (r1, r2, s) is a compression in which q1(x)=(x+r1)ˆ2−c(r2−p)ˆ2 is an irreducible quadratic over GF(p). The sign bit sdistinguishes the (up to) two possible q2(x).r2=p and 0<=r1<p.  (3)

The tuple (r1, r2, s) is a compression in which q1(x)=x+r1 is linear.The sign bit s distinguishes the (up to) two possible q2(x).r1=r2=p  (4)

-   -   The tuple (r1, r2, s) is a compression in which q1(x)=1        (constant) and q2(x)=0. This is the identity element of the        Jacobian.

For this application (product IDs), the sign bit s can be suppressed,because Q1=(q1(x), q2(x)) and Q2=(q1(x), −q2(x)) are negatives(inverses) of each other in the Jacobian group. Whether we later computeQ1 ^(e) or Q2 ^(e) in act 212, its first component a(x) will be the samewhether we start with Q1 or Q2, because Q1 ^(e) and Q2 ^(e) arethemselves inverses. By omitting s, the compressed form takes on only(p+1)(3p+1)/2 possible values.

A significant advantage of the cryptosystem described herein isdrastically shorter signature length for the same amount of securityagainst attack. The system described herein provides a solution to theproblem of short signatures in asymmetric cryptosystems where theparties authenticating one another do not share a previously establishedprivate secret key.

FIG. 6 is a flowchart illustrating an exemplary process for decrypting aproduct ID number in accordance with certain embodiments of theinvention. The process of FIG. 4 is implemented by product ID validator136 of FIG. 2, and may be performed in software. The process of FIG. 6is the inverse of the process of FIG. 4.

Initially, the product ID number is received (act 302) and decompressedto obtain the divisor Q (act 304). The divisor Q is then raised to thepower e in order to recover the value of P (act 306). The value of P isthen converted back to an n-bit number (act 308), and the conversionprocess reversed to obtain the padded version of M from the n-bit number(act 310). The padded version of M is obtained by reversing acts 256 and258 of FIG. 5 (including reversing the pseudocode discussed withreference to act 258), so the four functions F1, F2, F3, and F4 are usedto generate the strings A and B which are then combined (concatenated),resulting in the padded version of M (the value y in act 252).

A check is then made as to whether the padded version of M has therecognizable pattern (act 312). If the padded version of M does not havethe recognizable pattern then the received product ID is invalid (act314). Appropriate action can then be taken, such as to terminate theinstallation process so that the application cannot be installed on thecomputer. However, if the padded version does have the recognizablepattern, then the product ID is assumed valid (act 316). Appropriateaction can then be taken, such as allowing the installation process tocomplete.

Additionally, optionally a check may be made as to whether the value Mcorresponds to the product (act 318). In other words, does the value Mcorrespond to the particular copy of the product that it is allegedlyassociated with? This checking can be made in a variety of differentmanners, such as comparing the value M to a serial number embedded inthe product.

If the value M does correspond to the product, then the product issuccessfully authenticated (act 320). However, if the value M does notcorrespond to the product, then the product is not authenticated (act322). Appropriate action can then be taken, such as to log (e.g., at themanufacturer) the failed authentication, disable the product, and so on.

FIG. 7 illustrates a more general exemplary computer environment 400,which can be used in various embodiments of the invention. The computerenvironment 400 is only one example of a computing environment and isnot intended to suggest any limitation as to the scope of use orfunctionality of the computer and network architectures. Neither shouldthe computer environment 400 be interpreted as having any dependency orrequirement relating to any one or combination of components illustratedin the exemplary computer environment 400.

Computer environment 400 includes a general-purpose computing device inthe form of a computer 402. Computer 402 can implement, for example,encryptor 102 or decryptor 104 of FIG. 1, generator 120 or clientcomputer 132 of FIG. 2, either or both of modules 152 and 153 of FIG. 3,and so forth. Computer 402 represents any of a wide variety of computingdevices, such as a personal computer, server computer, hand-held orlaptop device, multiprocessor system, microprocessor-based system,programmable consumer electronics (e.g., digital video recorders),gaming console, cellular telephone, network PC, minicomputers, mainframecomputer, distributed computing environment that include any of theabove systems or devices, and the like.

The components of computer 402 can include, but are not limited to, oneor more processors or processing units 404, a system memory 406, and asystem bus 408 that couples various system components including theprocessor 404 to the system memory 406. The system bus 408 representsone or more of any of several types of bus structures, including amemory bus or memory controller, a peripheral bus, an acceleratedgraphics port, and a processor or local bus using any of a variety ofbus architectures. By way of example, such architectures can include anIndustry Standard Architecture (ISA) bus, a Micro Channel Architecture(MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics StandardsAssociation (VESA) local bus, and a Peripheral Component Interconnects(PCI) bus also known as a Mezzanine bus.

Computer 402 typically includes a variety of computer readable media.Such media can be any available media that is accessible by computer 402and includes both volatile and non-volatile media, removable andnon-removable media.

The system memory 406 includes computer readable media in the form ofvolatile memory, such as random access memory (RAM) 410, and/ornon-volatile memory, such as read only memory (ROM) 412. A basicinput/output system (BIOS) 414, containing the basic routines that helpto transfer information between elements within computer 402, such asduring start-up, is stored in ROM 412. RAM 410 typically contains dataand/or program modules that are immediately accessible to and/orpresently operated on by the processing unit 404.

Computer 402 may also include other removable/non-removable,volatile/non-volatile computer storage media. By way of example, FIG. 7illustrates a hard disk drive 416 for reading from and writing to anon-removable, non-volatile magnetic media (not shown), a magnetic diskdrive 418 for reading from and writing to a removable, non-volatilemagnetic disk 420 (e.g., a “floppy disk”), and an optical disk drive 422for reading from and/or writing to a removable, non-volatile opticaldisk 424 such as a CD-ROM, DVD-ROM, or other optical media. The harddisk drive 416, magnetic disk drive 418, and optical disk drive 422 areeach connected to the system bus 408 by one or more data mediainterfaces 425. Alternatively, the hard disk drive 416, magnetic diskdrive 418, and optical disk drive 422 can be connected to the system bus408 by one or more interfaces (not shown).

The disk drives and their associated computer-readable media providenon-volatile storage of computer readable instructions, data structures,program modules, and other data for computer 402. Although the exampleillustrates a hard disk 416, a removable magnetic disk 420, and aremovable optical disk 424, it is to be appreciated that other types ofcomputer readable media which can store data that is accessible by acomputer, such as magnetic cassettes or other magnetic storage devices,flash memory cards, CD-ROM, digital versatile disks (DVD) or otheroptical storage, random access memories (RAM), read only memories (ROM),electrically erasable programmable read-only memory (EEPROM), and thelike, can also be utilized to implement the exemplary computing systemand environment.

Any number of program modules can be stored on the hard disk 416,magnetic disk 420, optical disk 424, ROM 412, and/or RAM 410, includingby way of example, an operating system 426, one or more applicationprograms 428, other program modules 430, and program data 432. Each ofsuch operating system 426, one or more application programs 428, otherprogram modules 430, and program data 432 (or some combination thereof)may implement all or part of the resident components that support thedistributed file system.

A user can enter commands and information into computer 402 via inputdevices such as a keyboard 434 and a pointing device 436 (e.g., a“mouse”). Other input devices 438 (not shown specifically) may include amicrophone, joystick, game pad, satellite dish, serial port, scanner,and/or the like. These and other input devices are connected to theprocessing unit 404 via input/output interfaces 440 that are coupled tothe system bus 408, but may be connected by other interface and busstructures, such as a parallel port, game port, or a universal serialbus (USB).

A monitor 442 or other type of display device can also be connected tothe system bus 408 via an interface, such as a video adapter 444. Inaddition to the monitor 442, other output peripheral devices can includecomponents such as speakers (not shown) and a printer 446 which can beconnected to computer 402 via the input/output interfaces 440.

Computer 402 can operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computingdevice 448. By way of example, the remote computing device 448 can be apersonal computer, portable computer, a server, a router, a networkcomputer, a peer device or other common network node, and the like. Theremote computing device 448 is illustrated as a portable computer thatcan include many or all of the elements and features described hereinrelative to computer 402.

Logical connections between computer 402 and the remote computer 448 aredepicted as a local area network (LAN) 450 and a general wide areanetwork (WAN) 452. Such networking environments are commonplace inoffices, enterprise-wide computer networks, intranets, and the Internet.

When implemented in a LAN networking environment, the computer 402 isconnected to a local network 450 via a network interface or adapter 454.When implemented in a WAN networking environment, the computer 402typically includes a modem 456 or other means for establishingcommunications over the wide network 452. The modem 456, which can beinternal or external to computer 402, can be connected to the system bus408 via the input/output interfaces 440 or other appropriate mechanisms.It is to be appreciated that the illustrated network connections areexemplary and that other means of establishing communication link(s)between the computers 402 and 448 can be employed.

In a networked environment, such as that illustrated with computingenvironment 400, program modules depicted relative to the computer 402,or portions thereof, may be stored in a remote memory storage device. Byway of example, remote application programs 458 reside on a memorydevice of remote computer 448. For purposes of illustration, applicationprograms and other executable program components such as the operatingsystem are illustrated herein as discrete blocks, although it isrecognized that such programs and components reside at various times indifferent storage components of the computing device 402, and areexecuted by the data processor(s) of the computer.

Computer 402 typically includes at least some form of computer readablemedia. Computer readable media can be any available media that can beaccessed by computer 402. By way of example, and not limitation,computer readable media may comprise computer storage media andcommunication media. Computer storage media includes volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information such as computer readableinstructions, data structures, program modules or other data. Computerstorage media includes, but is not limited to, RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other media whichcan be used to store the desired information and which can be accessedby computer 402. Communication media typically embodies computerreadable instructions, data structures, program modules or other data ina modulated data signal such as a carrier wave or other transportmechanism and includes any information delivery media. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia includes wired media such as wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media. Combinations of any of the above should also be includedwithin the scope of computer readable media.

The invention has been described herein in part in the general contextof computer-executable instructions, such as program modules, executedby one or more computers or other devices. Generally, program modulesinclude routines, programs, objects, components, data structures, etc.that perform particular tasks or implement particular abstract datatypes. Typically the functionality of the program modules may becombined or distributed as desired in various embodiments.

For purposes of illustration, programs and other executable programcomponents such as the operating system are illustrated herein asdiscrete blocks, although it is recognized that such programs andcomponents reside at various times in different storage components ofthe computer, and are executed by the data processor(s) of the computer.

Alternatively, the invention may be implemented in hardware or acombination of hardware, software, and/or firmware. For example, one ormore application specific integrated circuits (ASICs) could be designedor programmed to carry out the invention.

Product identifiers generated using a curve-based cryptosystem aredescribed herein. Although discussed primarily with reference to productidentifiers for application programs, the product identifiers can beassociated with any of a variety of goods, products, services, users,and so forth.

CONCLUSION

Although the description above uses language that is specific tostructural features and/or methodological acts, it is to be understoodthat the invention defined in the appended claims is not limited to thespecific features or acts described. Rather, the specific features andacts are disclosed as exemplary forms of implementing the invention.

1. One or more computer-readable media having stored thereon a pluralityof instructions that, when executed by one or more processors, causesthe one or more processors to perform the following acts: decrypting amessage using a secret, wherein decrypting the message comprises:decompressing the message to obtain a decompressed value; raising thedecompressed value to a particular exponent to obtain a resulting value,wherein the raising is based at least in part on the order of the groupof points on the Jacobian of the curve; and converting the resultingvalue to a number having a particular number of bits; and wherein thesecret comprises the order of a group of points on a Jacobian of acurve.
 2. One or more computer-readable media as recited in claim 1, theacts further comprising: checking whether a set of bits of theparticular number of bits represents a recognizable pattern; anddetermining that the number is valid if the set of bits do represent therecognizable pattern, and otherwise determining that the number isinvalid.
 3. One or more computer-readable media as recited in claim 1,wherein the curve comprises a hyperelliptic curve.
 4. One or morecomputer-readable media as recited in claim 1, the acts furthercomprising: recovering a portion of the decrypted message; checkingwhether the portion of the decrypted message corresponds to a particularproduct; and determining that authentication of the particular productsucceeds if the portion of the decrypted message corresponds to theparticular product, and otherwise determining that authentication of theparticular product fails.
 5. One or more computer-readable media asrecited in claim 1, wherein the message comprises a product identifiercorresponding to a copy of a product.
 6. A system comprising: means fordecrypting a message using a secret, wherein the means for decryptingthe message comprises: means for decompressing the message to obtain adecompressed value; means for raising the decompressed value to aparticular exponent to obtain a resulting value, wherein the raising isbased at least in part on the order of the group of points on theJacobian of the curve; and means for converting the resulting value to anumber having a particular number of bits; and wherein the secretcomprises the order of a group of points on a Jacobian of a curve.
 7. Asystem as recited in claim 6, further comprising: means for checkingwhether a set of bits of the particular number of bits represents arecognizable pattern; and means for determining that the number is validif the set of bits do represent the recognizable pattern, and otherwisedetermining that the number is invalid.
 8. A system as recited in claim6, wherein the curve comprises a hyperelliptic curve.
 9. A system asrecited in claim 6, further comprising: means for recovering a portionof the decrypted message; means for checking whether the portion of thedecrypted message corresponds to a particular product; and means fordetermining that authentication of the particular product succeeds ifthe portion of the decrypted message corresponds to the particularproduct, and otherwise determining that authentication of the particularproduct fails.
 10. A system as recited in claim 6, wherein the messagecomprises a product identifier corresponding to a copy of a product. 11.A system comprising: means for encrypting a message using a secret,wherein the means for encrypting comprises: means for receiving themessage; means for padding the received message using a recognizablepattern; means for converting the padded message to a number representedby a particular number of bits; means for converting the number to anelement of the Jacobian of a curve; means for raising the element to aparticular power; means for compressing the result of raising theelement to the particular power; and means for outputting, as anencrypted message, the compressed result; and wherein the secretcomprises the order of a group of points on the Jacobian.
 12. A systemas recited in claim 11, wherein the Jacobian comprises a Jacobian of ahyperelliptic curve.
 13. A system as recited in claim 11, wherein thecurve is given by the equation Y=f(X), wherein f(x) has a degree of2·g+1, and wherein g refers to the genus of the curve.
 14. A system asrecited in claim 11, wherein the message comprises a numeric valuecorresponding to a copy of a product, and wherein the encrypting createsa ciphertext that is a product identifier corresponding to the copy ofthe product.
 15. A system as recited in claim 14, wherein the numericvalue corresponds to only one copy of the product.